Abstract. We describe the IC3/PDR algorithms and their various generalizations. Our goal is to give a brief overview of the algorithms and describe them using unified notation. Many crucial optimizations and implementation details are omitted.


1  Constrained  Horn  Clauses 

Given the sets $\mathcal{F}$ of function symbols, $\mathcal{P}$ of predicate symbols, and $\mathcal{V}$ of variables, a Constrained Horn Clause (CHC) is a First Order Logic (FOL) formula of the form:

$\forall \mathcal{V} \cdot (\phi \land p_1[X_1] \land \cdots \land p_k[X_k] \to h[X])$, for $k \geq 0$

where: $\phi$ is a constraint over $\mathcal{F}$ and $\mathcal{V}$ with respect to some background theory $\mathcal{A}$; $X_i, X \subseteq \mathcal{V}$ are (possibly empty) vectors of variables; $p_i[X_i]$ is an application $p(t_1, \ldots, t_n)$ of an $n$-ary predicate symbol $p \in \mathcal{P}$ to first-order terms $t_i$ constructed from $\mathcal{F}$ and $X_i$; and $h[X]$ is either defined analogously to $p_i$ or is $\mathcal{P}$-free (i.e., no $\mathcal{P}$ symbols occur in $h$). Here, $h$ is called the head of the clause and $\phi \land p_1[X_1] \land \ldots \land p_k[X_k]$ is called the body. A clause is called a query if its head is $\mathcal{P}$-free, and otherwise it is called a rule. A rule with body $true$ is called a fact. We say a clause is linear if its body contains at most one predicate symbol, otherwise it is called non-linear. In this paper, we follow the Constraint Logic Programming (CLP) convention of representing Horn clauses as $h[X] \leftarrow \phi, p_1[X_1], \ldots, p_k[X_k]$.

A CHC with constraint $\phi$ is satisfiable if there exists an interpretation $I$ of the predicate symbols $\mathcal{P}$ such that the clause is true under $I$ (with $\phi$ interpreted in the background theory $\mathcal{A}$). A set $\Pi$ of CHCs is satisfiable if there exists an interpretation $I$ that satisfies all clauses in $\Pi$.

Satisfiability of a set $\Pi$ of linear CHC is reducible to satisfiability of 3 clauses of the form:

$Init(X) \to P(X)$ (1)

$P(X) \to \neg Bad(X)$ (2)

$P(X) \land Tr(X, X') \to P(X')$ (3)

where $X$ is a set of variables, $X' = \{x' \mid x \in X\}$, $P$ is a new predicate, and $Init$, $Tr$, and $Bad$ are constraints. We call this reduced problem Safety, and present it as a triple $(Init, Tr, Bad)$.

Input: A safety problem $(Init(X), Tr(X, X'), Bad(X))$.
Output: Unreachable or Reachable
Data: A cex queue $Q$, where $c \in Q$ is a pair $\langle m, i \rangle$, $m$ is a cube over state variables, and $i \in \mathbb{N}$. A level $N$. A trace $F_0, F_1, \ldots$
Initially: $Q = \emptyset$, $N = 0$, $F_0 = Init$, $\forall i > 0 \cdot F_i = \emptyset$.
repeat
  Unreachable: If there is an $i < N$ s.t. $F_{i+1} \subseteq F_i$, return Unreachable.
  Reachable: If there is an $m$ s.t. $\langle m, 0 \rangle \in Q$, return Reachable.
  Unfold: If $F_N \to \neg Bad$, then set $N \leftarrow N + 1$.
  Candidate: If for some $m$, $m \to F_N \land Bad$, then add $\langle m, N \rangle$ to $Q$.
  Decide: If $\langle m, i+1 \rangle \in Q$ and there are $m_0$ and $m_1$ s.t. $m_1 \to m$, $m_0 \land m_1'$ is satisfiable, and $m_0 \land m_1' \to F_i \land Tr \land m'$, then add $\langle m_0, i \rangle$ to $Q$.
  Conflict: For $0 \leq i < N$: given a candidate model $\langle m, i+1 \rangle \in Q$ and a clause $\varphi$ such that $\varphi \to \neg m$, if $Init \to \varphi$ and $\varphi \land F_i \land Tr \to \varphi'$, then add $\varphi$ to $F_j$, for $j \leq i + 1$.
  Leaf: If $\langle m, i \rangle \in Q$, $0 < i < N$ and $F_{i-1} \land Tr \land m'$ is unsatisfiable, then add $\langle m, i+1 \rangle$ to $Q$.
  Induction: For $0 \leq i < N$ and a clause $(\varphi \lor \psi) \in F_i$, if $\varphi \notin F_{i+1}$, $Init \to \varphi$ and $\varphi \land F_i \land Tr \to \varphi'$, then add $\varphi$ to $F_j$, for each $j \leq i + 1$.
until $\infty$;
Algorithm 1: IC3/PDR.

Satisfiability of a set $\Pi$ of non-linear CHC is reducible to satisfiability of 3 clauses of the form:

$Init(X) \to P(X)$ (4)

$P(X) \to \neg Bad(X)$ (5)

$P(X) \land P(X^o) \land Tr(X, X^o, X') \to P(X')$ (6)

where $X^o = \{x^o \mid x \in X\}$ and the rest is defined as before. We call this reduced problem Safety as well and present it as a triple $(Init, Tr, Bad)$. Note that the only difference between the linear and non-linear case is that $Tr$ depends on two sets of state-variables: $X$ and $X^o$.

2  IC3  and  PDR 

The finite state model checking algorithm IC3 was introduced in [2] and its variant PDR in [3]. It maintains sets of clauses $F_0, \ldots, F_i, \ldots, F_N$, called a trace, where each $F_i$ is a set of properties (an over-approximation) of the states reachable in at most $i$ steps from the initial states $Init$. Elements of $F_i$ are called lemmas. In the following, we assume that $F_0$ is initialized to $Init$. After establishing that $Init \to \neg Bad$, the algorithm maintains the following invariants (for $0 \leq i < N$):

Invariant 1

$F_i \to \neg Bad \qquad F_i \to F_{i+1} \qquad F_i \land Tr \to F_{i+1}'$

That is, each $F_i$ is safe, the trace is monotone, and $F_{i+1}$ is inductive relative to $F_i$. In practice, the algorithm enforces monotonicity by maintaining $F_{i+1} \subseteq F_i$ as sets of clauses. The test $F_{i+1} \subseteq F_i$ in the Unreachable rule is the semantic inclusion ($F_{i+1} \to F_i$); together with monotonicity it means that $F_i$ and $F_{i+1}$ are equivalent, and then $F_{i+1}$ is an inductive invariant that excludes $Bad$.

Alg. 1 summarizes, in a simplified form, a variant of the IC3 algorithm. The algorithm maintains a queue of counterexamples $Q$. Each element of $Q$ is a tuple $\langle m, i \rangle$ where $m$ is a monomial (cube) over the state variables $X$ and $0 \leq i \leq N$. Intuitively, $\langle m, i \rangle$ means that a state in $m$ can reach a state in $Bad$ in $N - i$ steps. Initially, $Q$ is empty, $N = 0$ and $F_0 = Init$. Then, the rules are applied (possibly in a non-deterministic order) until either the Unreachable or the Reachable rule is applicable. Unfold extends the current trace and increases the level at which a counterexample is searched. Candidate picks a set of bad states. Decide extends a counterexample from the queue by one step. Conflict blocks a counterexample and adds a new lemma. Leaf moves the counterexample to the next level. Finally, Induction generalizes a lemma inductively. A typical schedule of the rules is to first apply all applicable rules except for Induction and Unfold, followed by Induction at all levels, then Unfold, and then repeating the cycle.


Queue. The queue is ordered by the level:

$\langle m, i \rangle < \langle n, j \rangle \iff i < j$ (7)

This drives the algorithm to the shortest counterexample.


Inductive Generalization. The Conflict and Induction rules are based on the principle of inductive generalization. Let $F_0, \ldots, F_i, \ldots, F_N$ be a valid trace, and let $\varphi$ be a clause that is relatively inductive to $F_i$:

$Init \Rightarrow \varphi \qquad \varphi \land F_i \land Tr \Rightarrow \varphi'$ (8)

Let $G = G_0, \ldots, G_N$ be defined as follows:

$G_j = \begin{cases} F_j \cup \{\varphi\} & \text{if } j \leq i + 1 \\ F_j & \text{if } i + 1 < j \leq N \end{cases}$ (9)

Then $G$ is a valid trace. The proof is by induction on $i$ and follows from monotonicity of the trace.


Generalizing predecessors. The Decide rule picks a predecessor $m_0$ in $Tr$ of some (partial) state $m$. While it is possible to simply pick a predecessor state, the rule attempts to find a generalized predecessor instead. The conditions of the rule are sufficient to ensure that $m_0$ is an implicant of $\psi = (F_i \land \exists X' \cdot (Tr \land m'))$. Finding a prime implicant of $\psi$ would have been even better, but is too expensive in practice.


Input: A safety problem $(Init(X), Tr(X, X'), Bad(X))$.
Output: Unreachable or Reachable
Data: A cex queue $Q$, where a cex $c \in Q$ is a pair $\langle m, i \rangle$, $m$ is a conjunction of constraints over state variables, and $i \in \mathbb{N}$. A level $N$. A trace $F_0, F_1, \ldots$
Notation: $\mathcal{F}(A) = (A(X) \land Tr) \lor Init(X')$.

All rules of IC3/PDR from Alg. 1, with Decide and Conflict replaced by the following:

  Decide: If $\langle P, i+1 \rangle \in Q$ and there is a model $M(X, X')$ s.t. $M \models \mathcal{F}(F_i) \land P'$, add $\langle P_0, i \rangle$ to $Q$, where $P_0 = \mathrm{Mbp}(X', M, \mathcal{F}(F_i) \land P')$.
  Conflict: For $0 \leq i < N$, given a counterexample $\langle P, i+1 \rangle \in Q$ s.t. $\mathcal{F}(F_i) \land P'$ is unsatisfiable, add $\varphi = \mathrm{Itp}(\mathcal{F}(F_i)(X^o, X), P)$ to $F_j$ for $j \leq i + 1$, where $\mathcal{F}(F_i)(X^o, X)$ denotes $\mathcal{F}(F_i)$ with $X$ renamed to $X^o$ and $X'$ renamed to $X$.
Algorithm 2: APDR.


Propagating lemmas. The Induction rule propagates lemmas to a higher level, optionally generalizing them where possible. This makes the trace "more" inductive, eventually leading to convergence.

Long counterexamples. The Leaf rule lifts blocked counterexamples to higher levels. As a side-effect, it makes it possible to discover counterexamples longer than the current exploration bound $N$. For example, assume that $m$ is blocked at level $i$. This means that there is a path of length $N - i$ from $m$ to $Bad$ (but no path of length at most $i$ from $Init$ to $m$). Assume that Leaf lifted $m$ to level $j > i$, and then $m$ was found reachable from $Init$ by a path of length $k$; since $m$ is not reachable in at most $i$ steps, $k > i$. Then, the discovered counterexample is a concatenation of a path of length $k$ from $Init$ to $m$ and a path of length $N - i$ from $m$ to $Bad$. The total length of the counterexample is $(N - i + k)$, which is bigger than $N$.
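The rules of Alg. 1 are easier to follow on a concrete system. The following is an added example, not code from the paper or from any IC3 implementation: a minimal IC3/PDR in Python over an explicit finite-state system, in which Candidate, Decide, Conflict (with inductive generalization), Leaf, Induction, Unreachable and Reachable appear as the commented branches. States are tuples of $n$ booleans; $Init$, $Tr$ and $Bad$ are Python predicates; every satisfiability query ($F_i \land Tr \land m'$, relative inductiveness) is answered by enumerating all $2^n$ states, which stands in for the SAT solver a real implementation would call. The 3-bit counter at the end is a constructed input: bits $(b_1, b_0)$ count modulo 4 and bit $e$ is never written, so $Bad = e$ is unreachable (the learned lemma is $\neg e$ after dropping the counter literals) while $Bad = b_1 \land b_0$ is reached in three steps.

```python
# Added example (not from the paper): minimal IC3/PDR in the style of Alg. 1 on a
# constructed 3-bit system. A state is a tuple of n bools; init/bad are predicates
# on a state, tr a predicate on (state, next_state). Satisfiability queries are
# answered by enumerating all 2**n states instead of calling a SAT solver.
from itertools import product


def in_cube(state, cube):
    """cube: frozenset of (var, value) literals; True iff state satisfies all of them."""
    return all(state[v] == val for v, val in cube)


class IC3:
    def __init__(self, n, init, tr, bad):
        self.init, self.tr, self.bad = init, tr, bad
        self.S = [tuple(bits) for bits in product((False, True), repeat=n)]
        # frames[i] = cubes blocked by F_i (F_i is the conjunction of the clauses ¬c).
        # F_0 is Init itself, so frames[0] stays empty. Invariant: frames[i+1] ⊆ frames[i].
        self.frames = [set()]

    def holds(self, i, s):
        """s ⊨ F_i"""
        return self.init(s) if i == 0 else not any(in_cube(s, c) for c in self.frames[i])

    def predecessor(self, i, cube):
        """A state of F_i with a successor in cube (a model of F_i ∧ Tr ∧ m'), or None."""
        for s in self.S:
            if self.holds(i, s) and any(self.tr(s, t) and in_cube(t, cube) for t in self.S):
                return s
        return None

    def rel_inductive(self, i, cube):
        """Init → ¬cube and ¬cube ∧ F_i ∧ Tr → ¬cube': the clause ¬cube is inductive relative to F_i."""
        if any(self.init(s) and in_cube(s, cube) for s in self.S):
            return False
        return not any(self.holds(i, s) and not in_cube(s, cube) and self.tr(s, t) and in_cube(t, cube)
                       for s in self.S for t in self.S)

    def generalize(self, i, cube):
        """Inductive generalization: drop literals while ¬cube stays inductive relative to F_i."""
        for lit in sorted(cube):
            smaller = cube - {lit}
            if smaller and self.rel_inductive(i, smaller):
                cube = smaller
        return cube

    def block(self, cube, level):
        """Decide / Conflict / Leaf over the cex queue. False iff the counterexample reaches Init."""
        Q = [(level, cube)]
        N = len(self.frames) - 1
        while Q:
            Q.sort(key=lambda e: e[0])              # queue ordered by level, lowest first (eq. 7)
            i, m = Q.pop(0)
            if i == 0 or any(self.init(s) and in_cube(s, m) for s in self.S):
                return False                        # Reachable: the cex reached an initial state
            s = self.predecessor(i - 1, m)
            if s is not None:                       # Decide: extend the cex one step backwards
                Q.append((i - 1, frozenset(enumerate(s))))
                Q.append((i, m))
            else:                                   # Conflict: learn ¬generalize(m) at levels 1..i
                lemma = self.generalize(i - 1, m)
                for j in range(1, i + 1):
                    self.frames[j].add(lemma)
                if i < N:                           # Leaf: re-examine m one level up
                    Q.append((i + 1, m))
        return True

    def propagate(self):
        """Induction: push lemmas forward. True (Unreachable) when two adjacent frames coincide."""
        N = len(self.frames) - 1
        for i in range(1, N):
            for c in list(self.frames[i]):
                if c not in self.frames[i + 1] and self.rel_inductive(i, c):
                    self.frames[i + 1].add(c)
            if self.frames[i] == self.frames[i + 1]:
                return True
        return False

    def check(self):
        if any(self.init(s) and self.bad(s) for s in self.S):
            return "Reachable"                      # the algorithm requires Init → ¬Bad
        while True:
            N = len(self.frames) - 1
            cand = next((s for s in self.S if self.holds(N, s) and self.bad(s)), None)
            if cand is not None:                    # Candidate: a bad state in F_N
                if not self.block(frozenset(enumerate(cand)), N):
                    return "Reachable"
            else:                                   # Unfold, then Induction / Unreachable
                self.frames.append(set())
                if self.propagate():
                    return "Unreachable"


# Constructed system: bits (b1, b0) count 0,1,2,3,0,... and bit e is never modified.
def counter_init(s):
    return not any(s)

def counter_tr(s, t):
    nxt = (2 * s[0] + s[1] + 1) % 4
    return t == (bool(nxt & 2), bool(nxt & 1), s[2])

def demo():
    """Returns (verdict for Bad = e, verdict for Bad = b1 ∧ b0)."""
    safe = IC3(3, counter_init, counter_tr, lambda s: s[2]).check()
    unsafe = IC3(3, counter_init, counter_tr, lambda s: s[0] and s[1]).check()
    return safe, unsafe

if __name__ == "__main__":
    print(demo())
```

Two simplifications relative to Alg. 1 are worth noting. Decide always uses the full predecessor state as the cube rather than a generalized predecessor, so every queue entry at a level above 0 is a concrete state with a real path to $Bad$; that is why the Reachable check can also fire when such a state is initial. The Unreachable test is implemented as equality of two adjacent frames' clause sets, which, given that lemmas are always added to all lower frames as well, is exactly the point at which $F_{i+1}$ becomes an inductive invariant.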

3  Extending  IC3/PDR  to  Theories 

Extending IC3 to theories (such as Linear Arithmetic) requires changing the Decide and Conflict rules to the ones shown in Alg. 2 [1]. The Decide rule computes a predecessor using an under-approximation of existential quantifier elimination called Model Based Projection (MBP). The Conflict rule computes new lemmas using Craig Interpolation (ITP). Note that Conflict is no longer based on the principle of inductive generalization. In the following, we briefly define MBP and ITP.

Model Based Projection. Let $\varphi$ be a formula, $U \subseteq Vars(\varphi)$ a subset of the variables of $\varphi$, and $M$ a model of $\varphi$. Then, $\psi = \mathrm{Mbp}(U, M, \varphi)$ is a model based projection if (a) $\psi$ is a monomial, (b) $Vars(\psi) \subseteq Vars(\varphi) \setminus U$, (c) $M \models \psi$, (d) $\psi \to \exists U \cdot \varphi$. Furthermore, for a fixed $U$ and a fixed $\varphi$, Mbp is finite: as $M$ ranges over all models of $\varphi$, $\mathrm{Mbp}(U, M, \varphi)$ takes only finitely many distinct values. In [5], an MBP function is defined for LRA based on Loos-Weispfenning quantifier elimination. Note that finiteness of MBP ensures that Decide can only be applied finitely many times for a fixed set of lemmas $F_i$.


Input: A safety problem $(Init(X), Tr(X, X^o, X'), Bad(X))$.
Output: Unreachable or Reachable
Data: A cex queue $Q$, where a cex $\langle c_0, \ldots, c_k \rangle \in Q$ is a tuple, each $c_i = \langle m, i \rangle$, $m$ is a cube over state variables, and $i \in \mathbb{N}$. A level $N$. A trace $F_0, F_1, \ldots$
Notation: $\mathcal{F}(A, B) = Init(X') \lor (A(X) \land B(X^o) \land Tr)$, and $\mathcal{F}(A) = \mathcal{F}(A, A)$
Initially: $Q = \emptyset$, $N = 0$, $F_0 = Init$, $\forall i > 0 \cdot F_i = \emptyset$
Require: $Init \to \neg Bad$
repeat
  Unreachable: If there is an $i < N$ s.t. $F_{i+1} \subseteq F_i$, return Unreachable.
  Reachable: If there exists $t \in Q$ s.t. for all $\langle c, i \rangle \in t$, $i = 0$, return Reachable.
  Unfold: If $F_N \to \neg Bad$, then set $N \leftarrow N + 1$ and $Q \leftarrow \emptyset$.
  Candidate: If for some $m$, $m \to F_N \land Bad$, then add $\langle \langle m, N \rangle \rangle$ to $Q$.
  Decide: If there is a $t \in Q$ with $c = \langle m, i+1 \rangle \in t$, and there are $l_0$, $m_0$, $m_1$ s.t. $m_1 \to m$, $l_0 \land m_0^o \land m_1'$ is satisfiable, and $l_0 \land m_0^o \land m_1' \to F_i \land F_i^o \land Tr \land m'$, then add $\hat{t}$ to $Q$, where $\hat{t}$ is $t$ with $c$ replaced by the two tuples $\langle l_0, i \rangle$ and $\langle m_0, i \rangle$.
  Conflict: If there is a $t \in Q$ with $c = \langle m, i+1 \rangle \in t$, s.t. $\mathcal{F}(F_i) \land m'$ is unsatisfiable, then add $\varphi = \mathrm{Itp}(\mathcal{F}(F_i), m')$ to $F_j$, for all $0 \leq j \leq i + 1$.
  Leaf: If there is a $t \in Q$ with $c = \langle m, i \rangle \in t$, $0 < i < N$ and $\mathcal{F}(F_{i-1}) \land m'$ is unsatisfiable, then add $\hat{t}$ to $Q$, where $\hat{t}$ is $t$ with $c$ replaced by $\langle m, i+1 \rangle$.
  Induction: For $0 \leq i < N$ and a clause $(\varphi \lor \psi) \in F_i$, if $\varphi \notin F_{i+1}$ and $\mathcal{F}(\varphi \land F_i) \to \varphi'$, then add $\varphi$ to $F_j$, for all $j \leq i + 1$.
until $\infty$;
Algorithm 3: GPDR.


Craig Interpolation. Given two formulas $A[x, z]$ and $B[y, z]$ such that $A \land B$ is unsatisfiable, a Craig interpolant $I[z] = \mathrm{Itp}(A[x, z], B[y, z])$ is a formula such that $A[x, z] \to I[z]$ and $I[z] \to \neg B[y, z]$. We further require that the interpolant is a clause. An algorithm for extracting LRA clause interpolants from the theory lemmas produced during a DPLL(T) proof is given in [4].

4  Generalized  PDR 

The GPDR algorithm [4], shown in Alg. 3, extends IC3/PDR to non-linear CHC and to constraints over Linear Rational Arithmetic (LRA). The main difference is that each element of the queue $Q$ is a tuple of counterexamples. Intuitively, the tuple corresponds to the leaves of a counterexample tree. Each application of the Decide rule expands one leaf of a counterexample. The extension to Linear Arithmetic is via the use of interpolation in the Conflict rule. However, since Decide is based on projection (it picks an arbitrary implicant of the projected formula rather than an MBP with a finite image), GPDR is incomplete for LRA. That is, it might get stuck alternating between the Decide and Conflict rules, never making progress.

This version of GPDR does not cache reachability information. Hence, it might need to expand the derivation tree completely to find a counterexample. Thus, it is worst-case exponential even for CHC over propositional constraints.


Input: A safety problem $(Init(X), Tr(X, X^o, X'), Bad(X))$.
Output: Unreachable or Reachable
Data: A cex queue $Q$, where a cex $c \in Q$ is a pair $\langle m, i \rangle$, $m$ is a cube over state variables, and $i \in \mathbb{N}$. A level $N$. A set of reachable states $Reach$. A trace $F_0, F_1, \ldots$
Notation: $\mathcal{F}(A, B) = Init(X') \lor (A(X) \land B(X^o) \land Tr)$, and $\mathcal{F}(A) = \mathcal{F}(A, A)$
Initially: $Q = \emptyset$, $N = 0$, $F_0 = Init$, $\forall i > 0 \cdot F_i = \emptyset$, $Reach = Init$
Require: $Init \to \neg Bad$
repeat
  Unreachable: If there is an $i < N$ s.t. $F_{i+1} \subseteq F_i$, return Unreachable.
  Reachable: If $Reach \land Bad$ is satisfiable, return Reachable.
  Unfold: If $F_N \to \neg Bad$, then set $N \leftarrow N + 1$ and $Q \leftarrow \emptyset$.
  Candidate: If for some $m$, $m \to F_N \land Bad$, then add $\langle m, N \rangle$ to $Q$.
  Successor: If there is $\langle m, i+1 \rangle \in Q$ and a model $M$, $M \models \psi$, where $\psi = \mathcal{F}(\bigvee Reach) \land m'$, then add $s$ to $Reach$, where $s' = \mathrm{Mbp}(\{X, X^o\}, M, \psi)$.
  DecideMust: If there is $\langle m, i+1 \rangle \in Q$ and a model $M$, $M \models \psi$, where $\psi = \mathcal{F}(F_i, \bigvee Reach) \land m'$, then add $\langle s, i \rangle$ to $Q$, where $s = \mathrm{Mbp}(\{X^o, X'\}, M, \psi)$.
  DecideMay: If there is $\langle m, i+1 \rangle \in Q$ and a model $M$, $M \models \psi$, where $\psi = \mathcal{F}(F_i) \land m'$, then add $\langle s, i \rangle$ to $Q$, where $s^o = \mathrm{Mbp}(\{X, X'\}, M, \psi)$.
  Conflict: If there is an $\langle m, i+1 \rangle \in Q$ s.t. $\mathcal{F}(F_i) \land m'$ is unsatisfiable, then add $\varphi = \mathrm{Itp}(\mathcal{F}(F_i), m')$ to $F_j$, for all $0 \leq j \leq i + 1$.
  Leaf: If $\langle m, i \rangle \in Q$, $0 < i < N$ and $\mathcal{F}(F_{i-1}) \land m'$ is unsatisfiable, then add $\langle m, i+1 \rangle$ to $Q$.
  Induction: For $0 \leq i < N$ and a clause $(\varphi \lor \psi) \in F_i$, if $\varphi \notin F_{i+1}$ and $\mathcal{F}(\varphi \land F_i) \to \varphi'$, then add $\varphi$ to $F_j$, for all $j \leq i + 1$.
until $\infty$;
Algorithm 4: Rule-based description of Spacer.


5  Spacer 


Spacer [5], shown in Alg. 4, extends APDR to non-linear CHC. Unlike the other variants of IC3/PDR discussed so far, it maintains the set of reachable states $Reach$. This set is used, among other things, to cache reachability information.

We briefly outline the key differences between Spacer and APDR. First, the Reachable rule checks whether a $Bad$ state became reachable. This is inefficient for linear CHC, since reachability is known before the $Reach$ set is computed.

The single Decide rule of APDR is replaced by three rules: Successor, DecideMust, and DecideMay. DecideMay is most similar to Decide. DecideMust uses the reachability cache to skip over the right-most predicate application. Successor uses the reachability cache to compute a new reachable state.

For linear CHC, Spacer is equivalent to APDR.